NAVAL 

POSTGRADUATE 

SCHOOL 

MONTEREY,  CALIEORNIA 


THESIS 


EFFECTIVENESS  OF  THE  FACTORY  RESET  ON  A 

Thesis  Advisor; 

MOBILE  DEVICE 

by 

Riqui  Schwamm 

March  2014 

Neil  Rowe 

Second  Reader: 

Simson  Garfinkel 

Approved  for  public  release;  distribution  is  unlimited 


THIS  PAGE  INTENTIONALLY  LEET  BLANK 


REPORT  DOCUMENTATION  PAGE 


Form  Approved  OMB  No.  0704-0188 


Public  reporting  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instruction, 
searching  existing  data  sources,  gathering  and  maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send 
comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information,  including  suggestions  for  reducing  this  burden,  to 
Washington  headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington,  VA 
22202-4302,  and  to  the  Office  of  Management  and  Budget,  Paperwork  Reduction  Project  (0704-0188)  Washington  DC  20503. 


1.  AGENCY  USE  ONLY  (Leave  blank)  2.  REPORT  DATE  3.  REPORT  TYPE  AND  DATES  COVERED 

March  2014  Master’ s  Thesis 


4.  TITLE  AND  SUBTITLE 

EFFECTIVENESS  OF  THE  FACTORY  RESET  ON  A  MOBILE  DEVICE 


6.  AUTHOR(S)  Riqui  Schwamm 


7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Naval  Postgraduate  School 
Monterey,  CA  93943-5000 


9.  SPONSORING  /MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 


5.  FUNDING  NUMBERS 


8.  PERFORMING  ORGANIZATION 
REPORT  NUMBER 


10.  SPONSORING/MONITORING 
AGENCY  REPORT  NUMBER 


11.  SUPPLEMENTARY  NOTES  The  views  expressed  in  this  thesis  are  those  of  the  author  and  do  not  reflect  the  official  policy 
or  position  of  the  Department  of  Defense  or  the  U.S.  Government.  IRB  Protocol  number _ N/A _ . 


12a.  DISTRIBUTION  /  AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  is  unlimited 


13.  ABSTRACT  (maximum  200  words) 


12b.  DISTRIBUTION  CODE 


All  mobile  phones  use  internal  flash  memory  to  store  information.  The  flash  memory  contains  personal  user  data  that 
can  be  extracted  with  the  use  of  forensics  tools.  This  information  could  be  used  to  profile  a  user’s  daily  activity. 
However,  all  smartphones  provide  a  tool  to  erase  (factory  reset)  the  information  from  the  flash  memory.  Twenty-one 
smartphones  were  used  to  evaluate  the  effectiveness  of  the  factory-reset  feature.  A  set  of  forensics  tools  from 
Cellebrite  was  used  for  the  extraction  and  analysis  process.  The  factory-reset  feature  was  found  to  leave  significant 
amounts  of  user-generated  content  after  operation.  The  amount  of  user-generated  content  varied  by  vendor  and  model 
number.  Extracted  data  are  presented  as  evidence  to  show  the  ineffectiveness  of  the  reset.  User  data  such  as 
photographs,  audio  files,  text  files,  login  information  and  geolocation  data  were  left  on  the  phone.  The  data  analysis 
uncovered  the  unreliable  nature  of  a  factory  reset  and  how  the  user  is  not  properly  protected. 


14.  SUBJECT  TERMS  Android  Operating  System,  Apple  iOS,  Mobile  Forensics,  smartphone, 
personal  user  data 


17.  SECURITY 
CLASSIFICATION  OF 
REPORT 

Unclassified 


NSN  7540-01-280-5500 


18.  SECURITY 
CLASSIFICATION  OF  THIS 
PAGE 

Unclassified 


19.  SECURITY 
CLASSIFICATION  OF 
ABSTRACT 

Unclassified 


15.  NUMBER  OF 
PAGES 

67 


16.  PRICE  CODE 


20.  LIMITATION  OF 
ABSTRACT 


Standard  Form  298  (Rev.  2-89) 
Prescribed  by  ANSI  Std.  239-18 


THIS  PAGE  INTENTIONALLY  LEET  BLANK 


11 


Approved  for  public  release;  distribution  is  unlimited 


EFFECTIVENESS  OF  THE  FACTORY  RESET  ON  A  MOBILE  DEVICE 


Riqui  Schwamm 
Civilian,  Department  of  the  Navy 
B.S.,  California  State  University,  Monterey  Bay,  2011 


Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 


MASTER  OF  SCIENCE  IN  COMPUTER  SCIENCE 

from  the 


NAVAL  POSTGRADUATE  SCHOOL 
March  2014 


Author:  Riqui  Sehwamm 


Approved  by:  Neil  Rowe 

Thesis  Advisor 


Simson  Garfinkel 
Seeond  Reader 


Peter  J.  Denning 

Chair,  Department  of  Computer  Seienee 


THIS  PAGE  INTENTIONALLY  LEET  BLANK 


IV 


ABSTRACT 


All  mobile  phones  use  internal  flash  memory  to  store  information.  The  flash  memory 
eontains  personal  user  data  that  can  be  extracted  with  the  use  of  forensics  tools.  This 
information  could  be  used  to  profile  a  user’s  daily  activity.  However,  all  smartphones 
provide  a  tool  to  erase  (factory  reset)  the  information  from  the  flash  memory.  Twenty-one 
smartphones  were  used  to  evaluate  the  effectiveness  of  the  factory-reset  feature.  A  set  of 
forensics  tools  from  Cellebrite  was  used  for  the  extraction  and  analysis  process.  The 
factory-reset  feature  was  found  to  leave  significant  amounts  of  user-generated  content 
after  operation.  The  amount  of  user-generated  content  varied  by  vendor  and  model 
number.  Extracted  data  are  presented  as  evidence  to  show  the  ineffectiveness  of  the  reset. 
User  data  such  as  photographs,  audio  files,  text  fdes,  login  information  and  geolocation 
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I.  INTRODUCTION 


A.  MOBILE  DEVICES,  APPLICATIONS,  AND  USER  DATA 

There  has  been  significant  growth  in  personal  smartphone  devices.  In  June  2013, 
the  Google  Android  smartphone  held  51.8%  of  the  market,  the  highest  share  in  the  U.S. 
Table  1  [1].  Apple  iOS  maintained  the  second  largest  share  at  40.6%,  followed  by 
BlackBerry  at  3.4%  and  Microsoft  at  3.1%  [1].  Symbian  still  holds  a  0.2%  market  share 
but  has  been  discontinued  by  Nokia.  The  last  Symbian  smartphone  was  shipped  in  mid- 
2012,  according  to  the  company’s  2012  Interim  Report  [2]. 


Top  Smartphone  Platforms 

3  Month  Avg.  Ending  Dec.  2013  vs.  3  Month  Avg.  Ending  Sep.  2013 
Total  U.S.  Smartphone  Suhscrihers  Age  13+ 

Source:  comScore  MohiLens 

Share  (%)  of  Smartphone  Suhscrihers 


Sep-13 

Dec- 13 

Point  Change 

Android 

51.8% 

51.5% 

-0.3 

Apple 

40.6% 

41.8% 

1.2 

BlackBerry 

3.8% 

3.4% 

-0.4 

Microsoft 

3.3% 

3.1% 

-0.2 

Symbian 

0.3% 

0.2% 

-0.1 

Total  Smartphone  Suhscrihers 

100.0% 

100.0% 

Table  1.  Top  Smartphone  Platforms  (from  [1]). 


Mobile  phones  use  flash-memory  [3]  to  store  the  base  mobile  operating  system 
(OS),  applications  (apps),  and  user  data.  First-party  applications  are  software  created  by 
the  operating-system  provider.  For  example,  the  Android  smartphone  includes  a 
Phonebook,  a  calendar  and  text-messaging  applications  created  by  Google’s  own 
software-development  team.  Third-party  applications  are  created  by  developers  other 
than  the  provider  of  the  mobile  operating  system. 

The  internal  flash  memory  of  a  mobile  device  contains  several  types  of  user¬ 
generated  information  such  as  phone  numbers,  addresses.  Short  Message  Service  (SMS) 
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text  messages,  and  cell  data.  These  data  can  be  extracted  with  the  use  of  digital  forensics 
tools  and  used  to  profile  a  user’s  activity.  Digital  forensics  is  a  branch  of  forensic  science 
that  investigates  digital  information  stored  in  various  electronic  media.  It  can  help 
investigate  cybercrime,  computer-based  terrorism,  and  computer  hacking  involving 
digital  environments. 

All  smartphones  provide  a  way  to  erase  (reset)  personal  information  from  flash 
memory.  The  main  focus  of  this  thesis  will  be  to  evaluate  the  effectiveness  of  “factory 
data  reset”  feature  on  smartphones.  A  detailed  and  comprehensive  survey  can  benefit  not 
only  the  forensic  community,  but  also  anyone  who  uses  a  smartphone.  The  end  result  will 
help  illustrate  the  limits  of  privacy  protection  offered  by  factory-reset  features.  It  can  also 
contribute  to  improved  smartphone  security  and  privacy  policies  if  venders  use  this 
research  to  improve  their  products. 

B.  RESEARCH  QUESTIONS 

This  thesis  attempts  to  answer  one  primary  question: 

•  How  much  user-generated  data  is  left  on  a  smartphone  after  using  the 
mobile  phone’s  factory  reset/wipe  function? 

Two  secondary  questions  also  need  to  be  addressed: 

•  How  much  private/personal  information  can  be  extracted  after  the  wipe? 

•  Can  recovered  data  be  used  to  identify  or  profile  a  user? 

C.  THESIS  STRUCTURE 

The  remainder  of  the  thesis  is  organized  as  follows.  Chapter  II  will  discuss  prior 
work  in  mobile  forensics  and  similar  research  work  done  under  this  topic.  Chapter  III  will 
cover  the  process  of  forensics  research  all  hardware,  software  and  computer 
environments  used  in  these  experiments.  Chapter  IV  will  cover  experiments  with  some 
sample  memory  images.  Chapter  V  will  end  with  conclusions  and  propose  future  research 
work. 
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II.  BACKGROUND  AND  RELATED  WORK 


A.  GROWTH  OF  SMARTPHONES  AND  MOBILE  COMPUTERING 

Mobile  phones  have  become  a  significant  consumer  product  in  recent  years.  A 
telephone  survey  by  Google  Inc.  of  2,000  adults  in  five  countries  [4]  found  that 
consumers  own  mobile  phones  more  than  any  other  mobile  devices  As  Table  3  depicts, 
the  survey  found  that  Japan  has  highest  adoption  rate  of  mobile  phones  (96%),  followed 
by  the  United  Kingdom  (87%). 


United 

States 

United 

Kingdom 

France 

Germany 

Japan 

Feature  phone/Smartphone 

78% 

87% 

74% 

76% 

96% 

Media  player  with  web  access 

24% 

17% 

23% 

12% 

30% 

Tablet  PC  Slate/Pad 

9% 

4% 

3% 

3% 

5% 

Handheld  gaming  device 

15% 

17% 

14% 

7% 

42% 

eReader 

9% 

3% 

1% 

1% 

2% 

Table  2.  Mobile  Internet  &  Smartphone  Adoption:  October  201 1  (from  [4]). 


A  smartphone  contains  much  of  the  functionality  of  a  desktop  PC,  but  it  also 
includes  radio  communications  capabilities  that  desktop  PCs  typically  lack. 
Communication  functionalities  include  GSM/CDMA  radio.  Near  Field  Communications, 
GPS,  Wi-Fi  and  Bluetooth  communication.  The  high  mobility  of  these  devices  can  be  the 
most  important  factor  in  the  shift  from  desktop/laptop  computer  to  smartphones.  Unlike 
laptops  or  desktop  computers,  a  smartphone  can  easily  fit  in  a  pocket.  It  is  a  computer 
that  is  easy  to  use  and  small  enough  to  be  used  almost  anywhere.  A  user  can  browse  the 
Internet,  check  email,  use  GPS  navigation,  and  make  online  payments  from  personal 
bank  accounts.  Hence,  a  device  this  capable  is  also  likely  to  contain  personal  user  data. 

There  are  various  ways  a  user  can  protect  his  or  her  personal  information  on 
smartphones.  Android  and  iOS  phones  can  be  set  up  require  a  login  password.  Some 
phones  include  a  data  encryption  method  to  protect  sensitive  data.  Also,  third-party 
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developers’  market  mobile  protection/encryption  software  [5]  can  be  installed  on  both 
Android  and  iOS  phones.  The  iPhone  has  hardware  encryption  enabled  by  default  for  all 
data  stored  in  memory.  There  is  also  a  Data  Protection  API  provided  by  Apple  that  can  be 
used  to  implement  application-level  encryption. 

In  addition,  common  smartphones  on  the  market  today  include  some  kind  of 
“factory  reset”  feature.  A  factory  reset  is  similar  to  formatting  a  hard  disk  drive  on  a 
computer  system,  but  the  details  differ.  Formatting  deletes  all  pre-existing  partitions  and 
data  on  the  hard  drive  and  creates  a  new  file  system.  The  factory  reset  is  intended  to 
remove  everything  except  pre-installed  software,  deleting  user  data  in  particular. 

The  following  is  a  list  of  data  that  should  be  erased  by  the  factory  reset  [6],  [7]. 

•  User  account  information  (including  email  address) 

•  User  settings  for  the  operating  system  and  applications 

•  Downloaded  third-party  applications 

•  Downloaded  music  (.mp3s,  .flac,  and  .aac) 

•  Downloaded  images  and  photos  taken  by  the  camera  (.jpg,  .png) 

•  Other  user  data  (address  book/phone  book/calendar  data) 

The  data  that  should  be  left  behind  after  a  factory  reset  is: 

•  The  operating  system  installed  with  the  smartphone 

•  First-party  software  (the  operating  system  and  associated  software  of  the 
main  vendor)  and  software  (by  other  vendors  authorized  by  the  main 
vendor)  bundled  with  the  operating  system 

•  SD  card  files,  as  contrasted  with  files  on  the  main  flash  memory  on  the 
phone 

B.  PRIOR  WORK 

Very  little  academic  research  has  been  conducted  regarding  the  correctness  of  the 
factory  reset  feature  on  smartphones.  However,  there  have  been  numerous  articles  on 
technology  websites  discussing  potential  risks  [8],  [9],  [10].  The  following  are  examples 
of  the  kinds  of  data  left  behind  after  a  factor  reset,  from  the  GottaBeMobile:  Mobile  News 
&  Reviews  website: 
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•  Pom 

•  Court  records 

•  Social  Security  Numbers 

•  Resumes 

•  College  applications 

•  Cookies 

•  Child  support  documents 

•  Employee  records 

•  Bank  statements 

•  Credit  card  statements 

•  Tax  returns 

•  Emails 

•  Contact  lists 

•  Photos 

The  authors  tested  secondhand  phones  purchased  through  Craigslist,  which  they 
then  reset  using  the  factory  feature.  The  article  concluded  that  the  factory-reset  feature 
did  not  work  as  expected. 

Another  publication  studied  the  effectiveness  of  the  factory  reset  for  network  data 
structures  left  on  an  Android  device  [11].  The  primary  question  was  “Do  sufficient 
residual  artifacts  exist  on  mobile  devices  to  extract  enough  data  to  identify  the  device’s 
previous  network  access  points?”  The  research  used  controlled  data  transfers  between 
Android  smartphones  and  multiple  network  access  points  (cellular,  wireless,  and 
Bluetooth).  Residual  data  left  on  test  devices  included  “userdata”  partitions  containing 
Service  Set  Identifiers  (SSID),  wireless-router  Subscriber  Identity  Modules  (SIM),  DHCP 
ACKs  from  wireless  routers,  and  base-station  metadata  that  included  the  Mobile  Network 
Code  (MNC),  Mobile  Country  Code  (MCC),  Eocal  Area  Code  (EAC)  and  Cell 
Identification  (CID),  wireless  router  Media  Access  control  (MAC)  addresses,  and 
Bluetooth  MAC  address  of  devices  paired  with  the  phone.  It  concluded  that  the  factory- 
reset  feature  was  not  sufficient  in  deleting  user-generated  network  data. 

This  thesis  expands  the  research  scope  by  analyzing  all  user-generated  content.  It 
analyzes  all  types  of  residual  artifacts  left  behind  after  a  factory  reset. 
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III.  DIGITAL  FORENSICS  TOOLS 


A.  COMPUTER  FORENSICS 

Computer  forensic  investigations  follow  a  similar  process  to  other  forensic 
investigations  [12].  The  process  involves  acquisition,  analysis  and  reporting  of  potential 
evidence  involving  criminal  activity.  The  evidence  can  be  collected  from  any  type  of 
storage  media.  Examples  of  storage  media  are: 

•  A  hard  disk  drive  from  computer  system 

•  A  CD/DVD/Blu-ray  optical  disk 

•  A  MO  magnetic  disk 

•  A  CF/SM/MMC  memory  card 

•  A  mobile  SIM  card 

•  A  USB  flash  memory 

Forensic  tools  can  be  used  to  acquire  data  from  storage  media  by  physical  or 
logical  acquisition.  Physical  acquisition  is  a  bit-by-bit  copy  of  an  entire  physical  store  of 
data.  Fogical  acquisition  is  a  bit-by-bit  copy  of  the  logical  storage  object  such  as 
directories  and  files. 

The  National  Institute  of  Standards  and  Technology  provides  guidelines  for 
forensic  data  acquisition  and  specifications  for  forensic  tools  [13].  NIST’s  Computer 
Forensics  Tool  Testing  (CFTT)  program  establishes  the  methodology  for  testing 
computer  forensic  software.  CFTT  is  part  of  the  Software  Diagnostics  and  Conformance 
Testing  Division  which  is  supported  by  The  Office  of  Faw  Enforcement  Standards.  The 
project  provides  a  means  to  help  understand  the  capability,  limitations,  and  validity  of 
computer  forensics  tools.  The  tools  to  be  tested  are  broken  up  into  several  categories: 
disk  imaging,  forensic  media  preparation;  write-blocking  software,  write-blocking 
hardware,  and  mobile  devices. 

Disk  imaging  is  the  process  of  making  a  secure  forensically  sound  copy  of  digital 
media  that  can  retain  the  data  for  an  extended  period.  “Disk  Imaging  takes  sector-by- 
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sector  copy  usually  for  forensic  purposes  and  as  such  it  will  contain  some  mechanism  to 
prove  that  the  copy  is  exact  and  has  not  been  altered.”  [14]. 

Forensic  media  preparation  is  the  practice  of  wiping  the  target  media  before 
storing  forensics  data  onto  the  forensics  examiner’s  computer.  A  hard  disk  drive  is 
usually  used  as  a  target  media  to  store  collected  data.  A  wiping  process  prevents  collected 
data  on  the  target  media  from  being  “contaminated”  by  previously  collected  evidential 
data.  A  wipe  should  completely  delete  the  existing  data  by  overwriting  all  writable  parts 
of  the  media.  The  Unix  “dd”  command  is  a  common  utility  used  to  wipe  storage  media 
[15],  and  it  can  also  be  used  to  wipe  data  from  internal  flash  memory  in  mobile  phones. 
Write  blockers  are  write-protection  utilities  used  in  the  acquisition  of  digital  forensic  data. 
These  utilities  enable  examiners  to  create  images  of  media  devices  without  the  risk  of 
accidentally  writing  to  the  subject  media  and  thereby  altering  the  contents  [16]. 

Several  forensic  techniques  have  been  developed  to  help  investigations  such  as 
string  search,  memory  forensics,  file  extraction,  feature  extraction,  and  cross-drive 
analysis  [17],  [18],  [19],  [20].  These  techniques  increase  the  utility  of  captured  data  in 
forensics  analysis.  Memory  forensics  analyzes  information  stored  on  volatile  memory, 
internal  memory  inside  a  computer  or  mobile  device  that  requires  power  to  maintain.  The 
data  stored  in  the  memory  changes  frequently  while  the  computer  or  mobile  device  is 
operational,  which  makes  it  hard  to  verify  the  data  collected  from  memory.  This  can  lead 
to  problems  if  the  examiner  wants  to  run  the  acquisition  process  more  than  once  [21]. 

String  searching  is  a  process  of  locating  specific  ASCII  or  Unicode  strings  from 
text  files  and  directories.  These  strings  can  be  names,  phone  numbers,  email  addresses, 
country  codes,  IP  addresses,  or  software  installed  on  a  system.  The  examiner  can  look  for 
any  type  of  key  terms  or  single  words,  but  it  can  also  help  spot  patterns  in  a  system. 
Regular  expressions  can  be  used  to  describe  patterns  in  a  string.  An  example  regular 
expression  is  “/^[a-z0-9_-]/  “  which  will  look  for  any  string  that  begins  (^)  with  a  lower 
case  letter  (a-z)  followed  by  any  number  (0-9)  then  an  underscore  and  a  hyphen. 


8 


B.  MOBILE  FORENSICS 


Mobile  forensics  has  its  own  set  of  acquisition  tools  [22],  [23],  [24].  Imaging, 
forensic  extraction,  memory  forensics,  and  string  searching  can  all  be  applied  to  mobile 
forensics  investigations.  However,  there  are  some  differences.  Hard  disk  drives  can  easily 
be  removed  from  a  computer  system  for  data  acquisition  and  analysis,  and  during  this 
process  the  hard  disk  drives  can  be  protected  using  a  write  blocker  utility.  A  mobile 
device  cannot  be  processed  the  same  way  because  the  internal  flash  memory  is  usually 
soldered  onto  the  circuit  board,  and  removing  the  flash  memory  may  damage  it.  Most 
mobile  forensics  tools  do  not  require  for  the  flash  memory  to  be  removed,  but  connect  the 
phone  directly  into  a  forensics  hardware  tool,  or  plug  the  phone  into  a  computer  system 
running  the  forensics  software  [25].  The  mobile  phone  architecture  is  also  different  from 
a  standard  desktop  computer.  The  mobile  hardware  supports  various  radio 
communications  like  GSM/CDMA,  GPS,  Wi-Fi,  NFC  and  Bluetooth.  This  radio 
communication  capability  will  generate  additional  user  data  on  the  smartphone.  The 
GSM/CDMA  and  GPS  radios  store  geolocation  data.  Wi-Fi,  NFC  and  Bluetooth  may 
store  user  account  login  information  and  passwords.  User  data  are  locally  stored  on  the 
smartphone’s  flash  memory. 

C.  MOBILE  FORENSIC  TOOL  CELLEBRITE  UFED 

A  commercial  forensics  tool  from  Cellebrite  was  used  for  the  data  extraction 
process  in  our  experiments.  The  Cellebrite  UME-36  Pro  is  a  standalone  phone-memory 
transfer  and  backup  solution  that  is  capable  of  extracting  data  from  a  wide  variety  of 
mobile  devices  [26].  There  are  three  key  components  for  this  forensics  tool: 

•  Cellebrite  UME-36  Pro  -  Universal  Memory  Exchanger  1.2.2. 3 

•  Cellebrite  UFED  Physical  Analyzer  3. 7. 2.0 

•  Cellebrite  Phone  Detective  1.2 

The  UME-36  Pro  enables  logical,  password,  SIM,  file-system,  and  physical 
extractions  of  data  from  mobile  devices.  It  is  a  hardware  solution  for  data  extraction.  The 
extracted  data  can  be  viewed  and  analyzed  with  the  UFED  Physical  Analyzer  software. 
UME-36  Pro  claims  to  extract  the  following  data  from  a  smartphone  [27]: 
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•  Call  logs 

•  Contacts 

•  Email 

•  Pattern  locks 

•  Bookmarks 

•  Cookies 

•  Text  strings  from  Short  Message  Service  (SMS)  /  Multimedia  Messaging 
Service  (MMS) 

•  Chat  messages 

•  Location  data  including  cell  tower  locations  and  usage 

•  Web  browser  history  including  records  of  visited  websites 

•  Digital  photography,  digital  videos,  and  audio  files 

•  Text  files 

•  Deleted  data 

•  Wi-Fi  including  connection  times,  base  service  set  identifications  (BSSId), 
service  set  identifiers  (SSID),  and  Security  Modes 

•  GPS  information  added  to  media  files  (geotags) 

The  UFED  Physical  Analyzer  is  software  for  physical  extraction.  This  extraction 
creates  a  single  binary  extraction  file  for  each  embedded  flash  memory  chip,  or  at  least  by 
the  address  range  used  by  the  mobile  device.  Unlike  logical  extraction,  physical 
extraction  can  bypass  the  device’s  operating  system  and  extract  data  directly  from  the 
mobile  device’s  internal  flash  memory.  The  UFED -extracted  data  from  the  device  is 
saved  into  a  hexadecimal  file  that  is  later  read  and  decoded  using  the  UFED  Physical 
Analyzer  application.  The  images  created  from  the  physical  extraction  process  include 
files  deleted  by  the  operating  system  or  user.  The  images  are  saved  with  an  .ufd  extension. 
It  provides  an  overview  of  the  mobile-device  data  with  decoding,  analysis,  and  report 
generation  [28]. 

The  Cellebrite  Phone  Detective  application  helps  investigators  identify  a  mobile 

phone  by  its  physical  attributes,  eliminating  the  need  to  start  the  device  and  risk  device 

lock  or  possible  data  loss.  It  asks  eight  key  questions  regarding  the  phones’  physical 

appearance.  It  provides  the  user  with  a  detailed  extraction  capability  per  device, 
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connectivity  details  and  device  characteristics  [29].  The  eight  visual  elements  used  to 
identify  device  are: 

•  Phone  type  (candy  bar,  clamshell,  slider,  tablet) 

•  Body  (connection  port,  cable,  charging  socket) 

•  Power  button  (power,  volume,  camera,  keypad) 

•  Miscellaneous  (battery  cover  type,  memory  card  slot) 

•  Basic  (Brand  logo:  Apple,  HTC,  Acer,  LG  /  network  technology:  GSM, 
CDMA) 

•  Camera  (type,  location,  flash) 

•  Display  type  (touch,  non-touch,  stylus) 

D.  MOBILE  FORENSIC  TOOL  BULK  EXTRACTOR 

The  forensics  software  Bulk  Extractor  (bulk_extractor- 1.4.  l-windowsinstaller.exe) 
[30]  was  also  used  for  analysis  of  recovered  files.  Bulk  Extractor  is  a  carving  and  feature 
extraction  tool  that  can  be  used  on  all  kinds  of  digital  media.  It  can  scan  disk  images  (raw, 
split-raw,  EnCase  EOl,  AEE),  files  and  directories  to  extract  useful  information  without 
parsing  the  file  system  or  file  system  structures.  The  program  can  extract  phone  numbers, 
email  addresses,  credit  card  numbers  and  UREs  from  inspection  of  file  contents  of  any 
file  or  file  fragments.  It  can  also  collect  data  from  compressed  files  with  ZIP  and  gzip 
algorithms.  The  extractor  is  run  on  a  file  system  and  creates  a  report  directory  with 
feature  files.  Each  feature  file  contains  the  location  the  feature  found,  the  feature  itself, 
and  the  feature  surrounded  by  its  local  context  (e.g.,  email.txt,  url.txt).  The  tool  is 
generally  used  for  file  identification  and  cross-drive  analysis  [31]. 

E.  OTHER  MOBILE  FORENSICS  TOOLS  TESTED 

Several  other  forensics  tools  were  tested  for  this  research  project  before  we 
selected  Cellebrite.  Some  that  offer  similar  features  to  the  Cellebrite  UEED  tools  were  as 
follows. 

viaExtract:  This  is  a  mobile  forensics  tool  developed  and  distributed  by 
viaEorensics  [32].  It  is  designed  for  extracting  and  analyzing  data  from  Android 
smartphones.  It  is  distributed  as  a  standalone  virtual  appliance  that  runs  on  a  VMware 
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workstation.  The  pre-installed  extraction  tools  could  not  properly  analyze  several 
Android  phones.  It  would  often  return  an  error  during  the  extraction  process  on  our  test 
phones. 

Key  features: 

•  Temporarily  or  permanently  remove  a  password/pattern/PIN  lock  on  an 
Android  device  running  OS  2.2  or  higher. 

•  Allow  the  examiner  to  forensically  image  external  (SD)  and  internal 
(EMMC)  storage  cards  directly  from  the  device. 

•  Allow  examiners  an  additional  bypass  option  on  gesture  key  locked 
devices. 

Oxygen  Forensic  Suite  2013:  This  forensics  suite  is  developed  and  distributed  by 
Oxygen  Software  [33].  The  company  specializes  in  forensic  data  examination  tools  for 
smartphones  and  mobile  devices.  The  program  performed  fairly  well  and  could  recovery 
a  large  number  of  files  (images,  video,  system  files,  logs). 

Key  features: 

•  Displays  complete  technical  information  about  the  mobile  device. 

•  Extracts  user  contact  information  with  all  its  data:  name,  occupation, 
phone  numbers,  addresses,  emails,  notes. 

•  Extracts  event  log  data,  phonebook,  messages  (SMS,  MMS,  Emails, 
iMessages). 

•  Eile  browser  analyzes  user  phones,  videos,  documents  and  device 
databases. 

Recuva:  This  is  a  free  program  developed  and  distributed  by  Priform  [34].  It  is  a 
disk  recovery  tool  that  is  capable  of  extracting  files  deleted  or  damaged  on  media  devices. 
The  program  can  recover  a  large  number  of  files  from  the  internal  flash  memory  of  a 
smartphone.  However,  the  program  does  not  provide  an  analysis  tool  for  the  recovered 
data.  This  makes  the  file  analysis  very  difficult.  Several  files  could  not  be  opened  or 
viewed  with  the  program. 

Key  features: 

•  Undelete  files. 

•  Recover  damaged  or  formatted  disks. 
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•  Recover  deleted  emails. 

•  Recover  deleted  iPod  music. 

•  Restore  unsaved  documents. 

•  Perform  deep  scan. 
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IV.  EXPERIMENTS 


A.  CONTROLLED  EXPERIMENT  WITH  TWO  SMARTPHONES 

Two  smartphones  were  used  for  a  controlled  experiment:  an  Apple  iPhone  4S  and 
a  Samsung  Galaxy  Sill.  The  following  protocol  was  used  to  artificially  generate  data 
under  a  controlled  environment. 

•  Log  into  the  Android  phone  with  the  account  forensic.nps  @  gmail.com, 
and  the  iPhone  with  the  account  rsch w  amm  @  nps .  edu . 

•  Connect  to  NPS  wireless  network  (NGSTV224)  and  visit  4  websites  using 
default  browser 

1.  Nps.edu 

2.  Fark.com 

3.  Yahoo.com 

4.  Npr.org 

•  Take  six  pictures  with  built  in  camera:  6  pictures  of  the  numbers  1,  2,  3,  4, 

5.  6.  First  3  image  files  are  left  unaltered.  Second  3  image  files  manually 
renamed: 

o  testschwamm_pic_4 

o  testschwamm_pic_5 

o  testschwamm_pic_6 

•  Access  files  and  links  from  the  following  website: 

http  ://f acuity .  nps .  edu/ncro  we/testsch  wammO  1 1 4 _ doc_s  ample  .docx 

http  ://f acuity .  nps .  edu/ncrowe/testsch  wammO  1 1 4 _ pdf_sample  .pdf 

http  ://f acuity .  nps .  edu/ncrowe/testsch  wammO  1 1 4 _ ppt_s  ample  .pptx 

http  ://f acuity .  nps .  edu/ncro  we/testsch  wammO  1 1 4 _ wav_s  ample .  w  av 

http  ://f acuity .  nps .  edu/ncrowe/testsch  wamm_0 1 1 4_link.  html 
http://faculty.nps.edu/ncrowe/testschwamm_0114_pics.html 
http  ://f acuity .  nps .  edu/ncro  we/testsch  wamm_0 1 1 4_video  .html 
http://facultv.nps.edu/ncrowe/testschwamm01 14  feat.html 

•  Install  the  following  list  of  software  for  Android  phones: 


“Reddit  is  fun” 

https://plav.google.com/store/apps/details?id=com.andrewshu.android.red 

dit&hl=en 

Visit  3  postings  on  www.reddit.com 
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o  “ELIS:  The  Amanda  Knox  Appeal” 

http://www.reddit.eom/r/explainlikeimfive/comments/lwlin9/eli5  the 

amanda  knox  appeal/ 

o  “Why  are  the  wheels  of  NASA’s  Mars  rover,  Curiosity,  wearing  out?” 
http://www.reddit.eom/r/askscience/comments/lwnb8s/whv  are  the 

wheels  of  nasas  mars  rover  curiosity/ 
o  “Hey,  I  am  Nikki  Sixx  from  Motley  Crue,  AMA” 

http://www.reddit.eom/r/IAmA/comments/lwnsxv/hev  i  am  nikki  si 

XX  from  m%C3%B6tlev  cr%C3%BCe  ama/ 

“Facebook” 

https://plav.google.com/store/apps/details?id=com.facebook.katana&hl=e 

n 

Login  and  browse. 

“Google  Drive” 

https://plav. goo  gle.com/store/apps/details?id=com.google. android. apps.do 

cs&hl=en 

Login/sync  and  open  3  files 
o  testschwamm_pptl.pptx 
o  testschwamm_ppt2.pptx 
o  testschwamm_ppt3.pptx 

“DropBox” 

https://plav.google.com/store/apps/details?id=com.dropbox.android&hl=e 

n 

Login/sync  and  open  3  files 
o  testschwamm_docl.docx 
o  testschwamm_doc2.docx 
o  testschwamm_doc3.docx 

“Youtube” 

https://plav. goo  gle.com/store/apps/details?id=com.google. android. youtube 

&hl=en 

Login  and  watch  3  videos 
o  ‘PSY-GANGNAM  STYLE’ 

http://www.youtube.com/watch?v=9bZkp7ql9fO 
o  ‘GIFs,  now  with  sound!  ’ 

http://www.youtube.com/watch?v=CgVpR4KdLRA 
o  ‘BEST  DUBSTEP  CAT !  ’ 

http://www.youtube.com/watch?v=i4SSoWEw5CI 
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“Audible” 

https://plav.goo  gle.com/store/apps/details?id=com.audible.application&hl 

=en 

Login  and  download/listen  to  3  excerpts 
o  Bossypants  (Excerpt) 
o  The  Hunger  Games  (Excerpt) 
o  Matterhorn  (Excerpt) 

“Kindle” 

https  ://plav .  goo  gle .  com/s  tore/apps/details  ?id=com.  amazon  ■kindle&hl=en 

Eogin  and  open  3  PDE  files 
o  testschwamm_articlel.pdf 
o  testschwamm_article2.pdf 
o  testschwamm_article3.pdf 

•  Upload  a  text  document  ‘testschwamm_password.txt’  to  root  directory  of 
each  phone. 

•  Upload  zip  file  containing  above  text  named  ‘testschwamm_userdata.zip’ 
to  root  directory  of  each  phone 

•  Use  the  following  list  of  pre-installed  software  on  iPhone: 


“Youtube” 

Eogin  and  watch  3  videos 
o  ‘PSY-GANGNAM  STYLE’ 

http://www.youtube.com/watch?v=9bZkp7ql9fO 
o  ‘GIFs,  now  with  sound!  ’ 

http://www.youtube.com/watch?v=CgVpR4KdERA 
o  ‘BEST  DUBSTEP  CAT !  ’ 

http://www.youtube.com/watch?v=i4SSoWEw5CI 

“Notes” 

Create  3  note  entries 
o  DVD  Movie  Eist 
o  Shopping  Eist 

o  Test  date  and  homework  due  date 
“Remind  Me” 

Create  3  reminders  different  dates 
o  ‘Reminder  1’  ‘02/01/2014  5:00PM’ 
o  ‘Reminder  2’  ‘03/03/20145  7:00AM’ 
o  ‘Reminder  3’  ‘04/05/2014  1 1:00AM’ 

The  phones  were  not  password  protected  by  the  user  and  no  data  intentionally 
encoded  or  encrypted  by  the  phone,  hollowing  use,  a  factory  reset  was  performed  through 
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the  phone’s  setup  menu  under  “Privacy”  or  “Backup  &  Reset”.  The  reset  menu  lists  all 
data  that  will  be  erased  in  the  process  (User  account,  system  and  application  data  and 
settings,  downloaded  applications,  music,  pictures  and  other  user  data).  The  user  did  not 
have  any  selectable  options  for  the  reset  on  any  of  the  phones.  The  process  takes  a  few 
minutes  after  which  the  phone  restarts  and  resumes  normal  operation. 

Following  factory  reset,  the  phones  were  images  with  the  UME-36  Pro  and  UFED 
Physical  Analyzer.  All  images  were  saved  in  the  tools  proprietary  format  (.ufd). 

A  total  of  61,276  files  were  recovered  from  the  pre-wipe  for  the  iPhone  and 
43,165  from  the  post-wipe.  42,728  files  matched  path  and  contents  from  both  pre-wipe 
and  post-wipe.  Partial  matches  were  deleted  which  produced  17,914  pre-reset  files  and 
115  post-reset  files  that  did  not  match.  36,292  files  had  a  zero  size  from  the  pre-wipe  and 
36,319  files  had  zero  size  from  the  post- wipe.  Executable  “.app”  fdes  found  pre-wipe 
were  24,862,  and  8,062  post- wipe.  Eiles  relating  to  the  operating  system  were  29,812  pre¬ 
wipe  and  27,621  post- wipe. 

Overall,  the  reset  did  a  good  job  of  removing  third-party  software.  All  the  picture 
images  and  text  documents  were  deleted  by  the  reset  with  the  exception  of  some  cache 
and  settings  information  (YouTube,  Eacebook). 

The  Bulk  Extractor  was  used  for  string  search.  A  number  of  preference  and 
configuration  files  were  recovered  after  the  reset  but  none  containing  the  keywords. 
“Preferences”  can  include  private  user  information  [35],  but  none  were  seen  in  the  “.plist” 
preference  files.  Table  3  lists  some  sample  files  remaining  after  the  reset  that  could  be 
interesting  for  forensic  investigations.  The  indirect  information  can  be  collected  and  used 
to  profile  a  user.  A  forensic  investigator  could  determine  where  and  how  the  device  was 
used. 
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File 

Description 

System/InnsbruckTaos  1  lB554a.N90OS/System/Library/PrivateF 
rameworks/Preferences.framework/SupplementalLocaleData.plist 

Focation  and  language 
settings 

System/InnsbruckTaos  1  lB554a.N90OS/usr/share/mecabra/ja 
/rerank.dat 

Resource  rankings? 

Data/Data/Keychains/keychain-2.db 

Keys 

Data/Data/logsdockdownd.log 

Security  event  log 

Data/Data/mobile/Applications/B8AD4B05-25 18-4570-8447- 

7BE2BFDA8F9F/Library 

/Preferences/com.apple.mobilesafari.plist 

Browser  preferences 

Data/Data/mobile/Fibrary  /BulletinBoard/SectionInfo.plist 

Bulletin  board  index 

Data/Data/mobile/Fibrary  /Caches/com.apple. springboard 

/Cache.db-wal 

Screen  cache  for  user 
"wal" 

Data/Data/mobile/Fibrary 

/Cookies/com.apple.itunesstored.2.sqlitedb 

Cookies  for  iTunes 

Data/Data/mobile/Fibrary/Mail  /Content  Index 

Mail  keywords 

Data/Data/mobile/Fibrary/Maps  /Bookmarks. plist 

Map  bookmarks 

Data/Data/mobile/Fibrary 
/Preferences/com.  apple. identityservicesd.plist 

Account  information 

Data/Data/mobile/Media  /PhotoData/changes-shm 

Incremental  photo  data 

Data/Data/root/Fibrary/Caches  /locationd/consolidated.db 

Focation  data 

Data/Data/tmp/MediaCache  /diskcacherepository. plist 

Disk  cache  information 

Table  3.  Sample  files  from  post-wipe  iPhone 


A  total  of  5,141  files  were  recovered  from  the  pre-wipe  for  the  Android  phone 
and  3,578  from  the  post-wipe.  3,292  files  matched  path  and  content  from  both  pre-wipe 
and  post-wipe.  Partial  matches  were  deleted  which  produced  968  pre-wipe  and  65  post¬ 
wipe  that  did  not  match.  227  files  had  a  zero  size  from  the  pre-wipe  and  278  files  had 
zero  size  form  the  post-wipe.  Executable  “.apk”  files  found  pre-wipe  were  396,  and  277 
post- wipe.  Other  executable  files  such  as  “.dex”  files  went  from  140  pre-wipe  to  121 
post-wipe,  “.so”  fdes  from  302  to  254.  The  reset  did  not  delete  any  picture  images  taken 
with  the  camera.  None  of  the  created  text  files  (.txt,  .doc,  .pdf,  .ppt)  was  removed.  Cache 
and  deleted  copies  of  these  file  and  image  components  were  also  not  erased.  Third-party 
applications  were  deleted.  However,  following  the  wipe  we  could  recover  files  from  the 
Kindle  and  DropBox  applications  that  belonged  to  the  user.  These  files  should  have  been 
deleted  along  with  the  application.  The  fact  that  files  from  deleted  applications  were 
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found  post- wipe  implies  that  the  wipe  process  explicitly  deleted  files,  a  topic  that  we  will 
return  to  in  Chapter  V. 

The  Bulk  Extractor  was  used  again  for  additional  string  search.  Website  links 
were  all  deleted  in  the  reset.  However,  the  links  for  the  four  visited  websites  were  found 
in  various  files  pre-wipe.  A  total  of  116  links  were  found  pre-wipe.  It  is  unclear  why 
there  were  so  many  duplicate  links  saved  on  the  phone.  The  wipe  left  most  of  the 
operation  system  files  intact  just  like  the  iPhone  reset.  Table  4  lists  some  sample  files 
remaining  after  the  reset  that  could  be  interesting  for  forensic  investigations. 


File 

Description 

CACHE/Root/recovery  /last_log 

Recovery  log 

SYSTEM/Root  /addon. d  /blacklist 

Eour  MD5  hash  values 

S  Y  STEM/Root/etc/apns-conf.xml 

Phone  carrier  IP  address 

S  Y STEM/Root/etc  /audio_policy  .conf 

Attached  audio  devices 
listing 

S  Y  STEM/Root/etc/gps  .xml 

GPS  settings 

USERDATA/Root/backup 
/pending/journal21 14683955. tmp 

Data  backup 

USERDATA/Root/data/com.android.providers.calendar/database 

s/calendar.db 

Calendar  data 

USERDATA/Root/data/com.android.deskclock/databases/alarms. 

db 

Alarm  data 

USERDATA/Root/media/0  /amazonmp3/temp/log.txt 

Eog  file  of  Amazon 

Cloud  Player 

USERDATA/Root/media/O/Android/data/com.andrew.apollo/cac 
he/ImageCache/39 1  Ob  1  eOccab  1 9bc46fd9db27cca49c9 .0 

Image  cache  data 

USERDATA/Root/media/0/iPhone3G.2013-l  1-07. 16-39- 

Database  script  of  ours. 

30/Email/108/478/1256.sql 

unclear  how  it  got  here 

USERDATA/Root/misc  /wifi/softap.conf 

Access  point  data 

USERDATA/Root/system/users/userlist.xml 

User  ID  information 

USERDATA/Root/drm  /fwdlock/kek.dat 

Eock  data 

USERD  AT  A/Root/media/O/And-roid/data/com.dropbox. android 

Document  of  previous 

/files/scratch/09thesis_regan.pdf 

phone  user 

Table  4.  Sample  files  from  post-wipe  Android  phone 


Some  smartphones  provide  several  variations  for  reset.  A  “hard  reset”  can  be 
performed  by  using  the  hardware  keys  (by  a  procedure  specific  to  each  device).  Newer 
iPhones  provide  the  additional  reset  options  “Reset  All  Settings,”  “Reset  Network 
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Settings,”  “Reset  Keyboard  and  Dictionary,”  “Reset  Home  Screen  Layout,,  and  “Reset 
Location  and  Memory”.  All  of  these  options  were  used  and  a  new  post-wipe  image  was 
generated.  These  options  deleted  an  additional  222  files  from  the  phone  but  did  not  delete 
any  files  listed  in  Table  3.  The  additional  reset  options  did  not  produce  any  significant 
further  deletions. 

The  hard  reset  on  the  Android  phone  gave  an  additional  option  for  a  “cache  resef ’. 
This  option  was  used  and  a  new  post- wipe  image  was  generated  just  like  the  iPhone.  It 
did  not  delete  any  text  and  media  files  put  on  the  device;  it  only  deleted  the  sixth  file  of 
the  files  in  Table  4.  Four  files  with  the  “db”  extension  were  deleted.  The  reset  added  an 
additional  six  fdes  (two  Bluetooth  cache,  four  “telephony”),  but  did  not  do  much  beyond 
the  regular  reset. 

B.  EXPERIMENT  AND  DATA  EXTRACTION 

Two  sets  of  smartphones  were  used  for  the  main  experiment.  The  first  set  of 
Apple  iPhone  images  was  created  by  the  UME-36  Pro  and  UFED  Physical  Analyzer. 
These  images  were  taken  from  the  Real  Data  Corpus  [36],  a  large-scale  forensic  corpus. 
All  images  were  generated  from  legally  obtained  smartphones  used  by  real  people.  The 
second  set  was  of  various  smartphones  (iPhone,  Android,  Blackberry)  that  had  been  used 
for  other  research  projects  at  our  school.  These  phones  did  not  have  a  SIM  card  installed 
on  them.  SIM  cards  contain  a  unique  identification  number  associated  with  the  user’s 
mobile  account  and  contain  the  phone  number,  security  data  and  billing  information; 
phone  calls  cannot  be  made  without  a  SIM  card,  but  otherwise  the  phone  will  function 
normally.  A  few  of  the  phones  came  with  a  custom  Android  operating  system 
(CyanogenMod  10.1),  a  custom  aftermarket  firmware  based  on  the  Android  Open  Source 
Project  [37]  [38].  The  same  protocol  was  used  to  generate  data  but  no  accounts  were 
associated  with  the  Blackberry  phones.  A  Python  script  was  written  to  convert  the 
Cellebrite  proprietary  XME  report  format  to  the  forensic  metadata  standard  DEXME  [39]. 
A  taxonomy  created  [40]  was  used  to  classify  files  by  extension  and  directory  path.  The 
full  list  of  smartphones  and  the  status  is  listed  in  Table  5. 
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# 

Smartphone 

OS  Version 

Readiness 

11 

Apple  iPhone  4 

iOS  5.1.1 

OK 

12 

Apple  iPhone  4 

iOS  5.1.1 

OK 

13 

Apple  iPhone  2 

iOS  3.1.3 

OK 

14 

Apple  iPhone  2 

iOS  3.1.3 

OK 

15 

Apple  iPhone  2 

iOS  3.1.3 

OK 

16 

Apple  iPhone  2 

iOS  3.1.3 

OK 

17 

Apple  iPhone  2 

iOS  3.1.3 

OK 

18 

Apple  iPhone  2 

iOS  3.0 

OK 

19 

Samsung  Galaxy  Sill 

CyanogenMod  10.1 

Hard  reset 

AlO 

Samsung  Nexus 

CyanogenMod  10.1 

OK 

All 

Samsung  Galaxy  Anycall 

Android  1.5 

OK 

A12 

Motorola  Atrix  4G 

Android  2.2 

OK 

A13 

HTC  Droid  Eris 

Android  2. 1 

OK 

A14 

HTC  Magic 

Android  1.6 

Hard  reset 

A15 

HTC  Flyer  (tablet) 

Android  3.2 

OK 

A16 

HTC  One 

Android  4. 1 

OK 

B17 

BlackBerry  8900  Curve 

BlackBerry  OS  4 

Unusable  after  reset 

118 

Apple  iPhone  4S 

iOS  5.1.1 

OK 

119 

Apple  iPhone  2G 

iOS  3.13 

Unusable  without  SIM  card 

B20 

BlackBerry  8100  Pearl 

BlackBerry  OS  4.5.0.174 

OK 

B21 

BlackBerry  8300  Curve 

BlackBerry  OS  4.5.0.162 

OK 

A22 

Motorola  FIRE 

Android  2.3.4 

Unrecognized  by  Cellebrite 

A23 

Huawei  U8500 

Android  2. 1 

OK 

A24 

Huawei  U8150  IDEOS  Comet 

Android  2.2 

Unusable  after  reset 

A25 

Dell  XCD35 

Android  2.2 

OK 

126 

Apple  iPhone  2 

iOS  3.1.3 

Unusable  after  reset 

A27 

Motorola  Charm 

Android  2. 1 

Totally  dead 

p28 

LG-500GHL 

Unknown 

Unrecognized  by  Cellebrite 

Table  5.  Full  list  of  smartphone  and  status  (from  [41],  [42]). 


Table  6  list  the  total  counts  of  pre-wipe  and  post-wipe  files.  A  large  number  of 
files  were  not  affected  by  the  reset.  There  were  four  types  of  partial  matches  between  pre¬ 
wipe  and  post-wipe  files  (File  name  and  hash,  Hash  only.  File  path  only.  Path  ignoring 
digits).  Several  unmatched  files  were  found  post-wipe  which  appear  to  be  new  records 
created  by  the  operating  systems  activity  and  reset  feature.  The  factory  reset  does  not 
completely  wipe  a  device.  Several  files  are  removed  during  the  reset  but  others  are  just 
renamed  and  additional  new  files  are  added  after  the  reset. 
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File  count  type 

Pre-reset 

Post-reset 

Total  files 

349,915 

200,987 

iPhone  files 

299,058 

176,907 

Android  files 

50,846 

24,058 

Exact  matches  pre-wipe  and  post- wipe 

140,320 

140,320 

Subsequent  matches  on  filename  and  hash  value  but  not 
all  directories 

34,228 

36,540 

Subsequent  matches  on  hash  value  alone 

9,269 

12,911 

Subsequent  matches  on  full  path  alone 

2,849 

2,836 

Subsequent  matches  on  full  path  ignoring  digits  alone 

6,448 

256 

Remaining  unmatched 

156,801 

8,124 

Table  6.  Summary  data  from  21  smartphones 


The  file  taxonomy  was  used  to  further  investigate  what  types  of  files  are  being 
removed  in  the  reset.  The  full  results  are  listed  in  Table  7.  Each  file  path  is  classified  by 
file  extension  (E)  and  directory  name  of  the  file  (D).  8,346  extensions  and  6,445  directory 
names  have  a  classification.  The  rest  are  labeled  as  “miscellaneous”.  Extensions  that  are 
longer  than  10  characters  are  ignored. 

The  reset  appears  to  focus  on  video  and  picture  images,  text  documents,  copies 
and  temporary  files,  disk  images,  log  files,  XME  documents  and  gaming  applications. 
There  is  a  smaller  emphasis  on  database  files,  compressed  data,  audio,  source  code  and 
data  directories.  The  reset  seem  to  target  applications,  picture  images  and  temporary  files, 
but  not  as  focused  on  long-term  user  data.  The  reset  does  not  remove  explicitly  deleted 
and  zero-size  files  (which  have  no  content  but  do  have  filename  and  dates).  Zero-size 
files  may  not  be  useful  for  the  applications,  but  could  provide  partial  user  information. 
An  empty  log  file  could  indicate  the  user  is  not  using  a  particular  category  or  parameter 
in  an  application. 

A  clear  time  pattern  could  not  be  created  because  the  phones  were  used  in  various 
time  periods.  The  Physical  Analyzer  software  also  created  some  issues  while  analyzing 
the  recovered  data.  Different  versions  of  the  Physical  Analyzer  would  produce  different 
results  from  the  same  image.  The  file  access  and  creation  time  would  be  reported 
differently  depending  on  the  Physical  Analyzer  version,  and  the  root  directory  name 
would  change  between  two  different  Physical  Analyzer  versions. 
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Type  of  file  extension  (E)  or  directory  (D) 

Pre-wipe 

Post-wipe 

E:  No  extension 

36561 

21078 

E:  Operating  system 

106168 

104406 

E:  Graphics 

98618 

27522 

E:  Camera  pictures 

15443 

3967 

E:  Temporaries 

733 

159 

E:  Web  pages 

1418 

680 

E:  Documents 

3089 

1233 

E:  Database 

5627 

2377 

E:  Spreadsheets 

425 

356 

E:  Compressed 

601 

278 

E:  Audio 

16427 

8313 

E:  Video 

303 

90 

E:  Source  code 

1791 

736 

E:  Executable 

3432 

2856 

E:  Disk  image 

13828 

1932 

E:  Log 

599 

73 

E:  Copies  and  backup 

7347 

905 

E:  XML 

5193 

1045 

E:  Configuration 

20788 

18379 

E:  Games 

3741 

1048 

E:  Miscellaneous 

7307 

3536 

D:  Root 

1012 

966 

D:  Operating  system 

122625 

117701 

D:  Hardware 

1128 

319 

D:  Temporaries 

12141 

2928 

D:  Pictures 

17950 

4328 

D:  Audio 

10812 

7814 

D:  Video 

2570 

0 

D:  Web 

2714 

277 

D:  Data 

18300 

9771 

D:  Programs 

3616 

2876 

D:  Documents 

6211 

1036 

D:  Sharing 

7500 

2368 

D:  Security 

2953 

2749 

D:  Games 

53722 

0 

D:  Applications 

84593 

46696 

D:  Miscellaneous 

2046 

1126 

“.DELETED.”  in  path(*) 

20087 

4181 

Zero-size  files 

120112 

128026 

Table  7.  File  type  counts  before  and  after  the  factory  reset. 


(*)  Paths  containing  the  word  “.DELETED”  were  found  on  the  phone. 
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The  data  collected  from  the  Physical  Analyzer  are  listed  in  Table  8  and  9.  The 
Physical  Analyzer  categorizes  each  data  type  and  groups. 

Phone  Data: 

•  Application  Usage:  Applications  name,  number  of  launches,  activations, 
active  time,  and  date 

•  Call  Log:  Caller  phone  number,  time  stamp,  duration,  and  type 
(incoming/outgoing/missed) . 

•  Contacts  Cookies:  Contacts  name,  organizations,  phone  number,  emails, 
other  entries,  notes,  and  addresses. 

•  Installed  Applications:  Application  name,  version,  identifier,  App  ID, 
purchase  date,  and  delete  date. 

•  IP  Connections:  Timestamp,  domain,  router  address  MAC  address. 
Cellular  WAN,  Device  IP,  DNS  address,  and  service  name. 

•  Locations:  Timestamp,  position,  and  name. 

•  Maps:  Source,  zoom  level,  and  tiles. 

•  Passwords 

•  SMS  messages:  Timestamp,  folder  (drafts,  inbox,  sent),  phone  number, 

text  string,  and  status  (unsent,  sent,  or  read). 

•  User  Accounts:  Name,  user  name,  password,  and  service  type. 

•  User  Dictionary:  Word,  locale,  and  bookmark  note. 

•  Wireless  Networks:  Last  connected,  BSSId,  SSId,  and  Security  Mode 


Data  Files: 

•  Picture  Images  (png,  jpg).  Audio  (wav,  mp3).  Text  (html,  txt,  xml). 
Databases  (db,  sqliteS,  itdb).  Configuration  (plist),  or  Application  (jar, 
apk,  ipa). 

•  Name,  path,  size,  metadata,  created,  modified,  accessed,  and  bookmark 
note. 
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II 

12 

13 

14 

15 

16 

17 

18 

Phone  Type 

I 

I 

I 

I 

I 

I 

I 

I 

Application  Usage 

0/0 

0/0 

1/199 

0/0 

1/125 

1/56 

9/23 

0/23 

Call  Log 

0/0 

0/2 

0/103 

0/0 

0/107 

0/104 

0/13 

0/105 

Contacts 

0/0 

0/0 

0/209 

0/0 

0/1461 

0/2366 

0/0 

0/284 

Cookies 

0/0 

0/0 

0/5 

0/0 

0/0 

0/43 

0/0 

0/6 

Installed 

Applications 

34/34 

34/34 

23/127 

28/34 

23/142 

23/56 

0/24 

0/79 

IP  Connections 

0/2 

0/2 

0/2 

0/1 

0/0 

0/1 

0/0 

0/7 

Locations 

0/0 

0/0 

0/1 

0/0 

0/0 

5/10 

0/0 

0/72 

Maps 

0/0 

0/0 

0/12 

0/0 

0/0 

0/2 

0/0 

0/19 

Passwords 

0/6 

0/5 

0/0 

0/1 

0/0 

0/0 

0/0 

0/0 

SMS  Messages 

0/0 

0/2 

0/30 

0/0 

0/1152 

0/50 

0/0 

0/672 

User  Accounts 

0/0 

1/1 

1/1 

1/1 

1/1 

1/6 

1/1 

1/3 

User  Dictionary 

0/0 

0/1 

0/161 

0/0 

0/30 

0/312 

0/0 

0/819 

Wireless 

Networks 

0/0 

1/1 

0/1 

0/0 

0/0 

0/0 

0/0 

0/0 

Images 

3714/3716  3715/3716  2488/16541  2631/2716  2488/25106  5888/14477  2491/2611  2488/13705 

Audio 

1/1 

1/1 

2/2512 

1/1 

2/1202 

2/1 125 

2/2 

2/1120 

Text 

159/161 

159/164 

11/392 

20/34 

11/1689 

12/67 

12/21 

12/135 

Databases 

31/38 

32/43 

13/60 

21/50 

23/54 

12/63 

13/24 

23/55 

Configurations 

2797/2969  2831/2959  1349/4798 

1976/2969  1352/6978 

1345/2237 

1348/1382  1349/10930 

Applications 

6/6 

6/10 

164/489 

227/304 

164/458 

164/200 

164/310 

164/670 

Table  8.  The  number  represents  user  data  and  system  data  on  smartphones  part  1. 

(post-wipe/pre- wipe)  I=iPhone,  A=Android,  B=BlackBerry 
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A9 

AIO 

All 

AI2 

AI3 

AI4 

AI5 

AI6 

118 

B20 

B2I 

A25 

Phone  Type 

A 

A 

A 

A 

A 

A 

A 

A 

I 

B 

B 

A 

Application  Usage 

0/0 

1/139 

0/0 

0/102 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Call  Log 

0/0 

0/0 

0/0 

0/52 

0/5 

0/6 

0/0 

7/192 

0/1 

0/100 

0/11  0/61 

Contacts 

0/0 

0/5 

0/0 

0/48 

0/0 

0/2 

0/0 

0/65 

0/0 

0/477 

0/0 

5/252 

Cookies 

0/0 

0/3 

0/0 

0/0 

0/0 

0/5 

0/0 

0/0 

0/17 

0/0 

0/0 

0/16 

Installed 

Applications 

30/30 

48/102 

25/43  23/32 

26/70  20/24  12/44  0/0 

34/34 

0/0 

0/0 

0/1 

IP  Connections 

0/0 

0/2 

0/0 

0/3 

0/0 

0/1 

0/0 

0/0 

1/6 

0/0 

0/0 

0/0 

Locations 

0/0 

0/0 

0/5 

0/0 

0/10 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/9 

Maps 

0/15 

0/5 

0/8 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Passwords 

0/0 

0/0 

0/0 

0/1 

0/0 

0/1 

0/1 

0/0 

5/9 

0/0 

0/0 

0/1 

SMS  Messages 

0/80 

0/5 

0/0 

0/121 

0/0 

0/2 

0/0 

0/66 

0/0 

0/4 

0/0 

0/76 

User  Accounts 

1/1 

1/1 

0/0 

0/0 

0/1 

0/1 

0/0 

0/1 

1/1 

0/0 

0/0 

0/2 

User  Dictionary 

0/132 

0/50 

0/0 

0/84 

0/40 

0/1 

0/0 

0/0 

0/6 

0/0 

0/0 

0/2 

Wireless  Networks 

0/1 

0/1 

0/0 

0/1 

0/0 

0/0 

0/1 

0/0 

3/7 

0/0 

0/0 

0/1 

Images 

150/150  764/764  11/11  1815/1815  42/42  15/15  9/9 

616/616  3716/3743  0/7 

0/3  71/159 

Audio 

1/1 

1/1 

1/1 

1/1 

0/0 

2/2 

2/2 

82/82 

1/1 

0/1 

0/0 

1/1 

Text 

130/130 

48/48 

0/0 

132/132 

1/1 

0/0 

4/4 

1/1 

243/263 

0/0 

0/0  440/3031 

Databases 

5/65 

12/45 

0/0 

25/41 

0/0 

10/24  0/0 

16/36 

37/58 

0/0 

0/0 

24/55 

Configurations 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

2850/2953 

!  0/0 

0/0 

0/0 

Applications 

0/0 

313/313 

0/0 

7/7 

3/3 

1/1 

24/24  0/3 

6/6 

0/0 

0/0  388/390 

Table  9.  The  number  represents  user  data  and  system  data  on  smartphone  part  2 
(post-wipe/pre- wipe)  I=iPhone,  A=Android,  B=BlackBerry 
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C.  ISSUES  WITH  THE  SMARTPHONES 

The  factory  reset  was  performed  without  any  problems  on  most  of  the 
smartphones.  However,  on  the  HTC  Magic  (A14)  and  Samsung  Galaxy  Sill  (A9)  the 
smartphones  locked  up  after  the  reset.  The  HTC  Magic  was  running  a  standard  Android 
1.6  operating  system  and  the  Samsung  Galaxy  Sill  was  running  a  custom  CyanogenMod 
10. 1  operating  system.  A  hard  reset  on  the  HTC  Magic  and  a  custom  reset  had  to  be 
performed  on  the  Samsung  Galaxy  Sill  running  CyanogenMod  10. 1  to  recover  normal 
operations.  Holding  down  the  volume  up  button  and  the  power  button  at  the  same  time 
performs  a  hard  reset,  but  does  not  remove  any  applications  or  user  data  from  the 
smartphone.  After  the  hard  reset  the  factory  reset  did  not  cause  any  further  problems.  The 
cause  of  the  lockup  could  not  be  determined. 

The  factory-reset  on  the  BlackBerry  8900  Curve  (B17),  Huawei  U8150  Comet 
(A24)  and  Apple  iPhone  2  (126)  made  the  devices  unusable  after  the  restart.  The  device 
could  not  be  properly  restarted  or  became  unstable.  The  Motorola  Charm  (A27)  could  not 
be  charged  or  booted  and  appeared  to  be  unusable. 

The  HTC  Eris  (A  13)  could  not  be  properly  processed  without  a  micro  SD  card 
and  installed  on  the  phone.  The  Apple  iPhone  2G  (119)  could  not  be  used  without  a  SIM 
card.  Both  the  UME36-Pro  and  UEED  Physical  analyzer  returned  an  error  when  there 
was  no  micro  SD  or  SIM  card  in  the  phone.  A  compatible  micro  SD/SIM  card  was  not 
available  at  the  time  of  the  experiment.  These  two  phones  were  the  only  ones  that 
produced  this  error.  The  cause  of  the  error  could  not  be  determined. 

The  Motorola  EIRE  (A22)  and  EG-500GHE  (p28)  was  not  recognized  by 
Cellebrite.  The  Motorola  EIRE  is  running  the  Android  OS  2.3.4  and  is  officially 
supported  by  UEED  Touch  Ultimate.  The  EG-500GHE  is  a  prepaid  phone  with  a 
proprietary  operating  system  by  EG.  None  of  the  forensics  tools  tested  was  able  to 
identify  or  extract  data  from  these  phones.  This  could  be  due  to  the  proprietary  operating 
system  installed  on  the  EG  phone. 
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The  HTC  One  returned  the  same  results  for  most  of  the  tools  tested.  There  is  an 
important  difference  between  the  HTC  One  and  the  other  smartphones  used  in  this 
project.  When  a  smartphone  is  connected  (via  USB)  to  a  computer  system  it  is  mounted 
as  a  USB  mass  storage  device.  The  HTC  One  and  several  newer  Android  phones  (4.0  and 
up)  are  connected  using  a  different  protocol  developed  by  Microsoft  called  the  Media 
Transfer  Protocol  (MTP)  [43].  The  computer  sees  the  attached  smartphone  as  a  media 
player  while  connected  with  MTP.  The  different  mounting  protocols  created  conflict  with 
the  forensics  tools  used  for  this  project.  However,  during  this  research  project  we  were 
able  to  gain  access  to  a  newer  Cellebrite  hardware  solution,  the  Cellebrite  UFED  Touch 
Ultimate  [44],  an  updated  version  of  the  UME-36  Pro.  It  provides  a  touchscreen  interface 
with  Windows  XP  running  as  the  base  operating  system.  It  provides  the  same 
functionality  with  a  wider  range  of  supported  mobile  devices.  The  UFED  Touch  Ultimate 
is  capable  of  extracting  data  from  MTP  devices  and  was  used  for  the  HTC  One  (Alb). 

D.  DATA  ANALYSIS  WITH  THE  PHYSICAL  ANALYZER 

A  list  of  extracted  data  was  created  and  viewed  in  the  Physical  Analyzer 
application.  All  phones  listed  in  Table  8  and  9  were  used  (Android,  IPhone,  BlackBerry). 
Phone  data  (traditional  telephone  usage  information)  in  both  sets  was  almost  completely 
removed  after  a  factory  reset,  including: 

•  Call  log 

•  Contacts 

•  Cookies 

•  IP  connections 

•  SMS 

•  Maps 

•  Password 

•  User  directory 

Application  Usage  data  were  limited  to  system  applications  and  did  not  contain 
any  user  information.  System  applications  are  indicated  by  the  identifier  com.apple.XX 
for  iOS  and  com.google.XX  for  Android.  A  list  is  generated  by  the  Physical  Analyzer. 
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Installed  Applications  data  left  on  the  phones  were  default  first-party  applications 
such  as  maps,  YouTube,  mobile  mail,  calculator,  weather,  preferences,  and  mobile  notes. 
The  same  system  application  identifiers  were  used  to  verify  first-party  applications.  There 
were  no  third-party  applications  left  on  the  phones  after  a  factory  reset.  However,  the 
number  of  installed  applications  on  post-wipe  phones  varied.  The  Physical  Analyzer 
could  not  identify  any  user-installed  applications  on  the  17  and  18  iPhones  after  the 
factory  reset.  The  system  applications  and  first-party  applications  are  not  supposed  to  be 
removed  after  a  factory  reset.  The  Physical  Analyzer  showed  zero  entries  after  the  wipe. 
This  means  the  UME-36  Pro  could  not  properly  identify  the  applications.  The  reasons  are 
unknown  as  to  why  the  UME-36  Pro  failed  to  identify  the  installed  applications. 

Eocation  data  were  only  left  on  the  16:  Apple  iPhone  2.  The  data  contained 
latitude  and  longitude  (18.47717,  73.87550  -  Pune,  India)  information  for  a  cell  tower 
and  a  time  stamp  (3/24/2011  7:44:24AM).  This  can  be  considering  sensitive  user 
information  since  it  reveals  the  time,  date,  and  location  of  where  the  user  has  been. 

User  Accounts  and  Wireless  Networks  data  was  recovered  from  a  number  of 
phones  but  it  did  not  contain  any  identifiable  information.  Entries  were  listed  in  the 
Physical  Analyzer  but  it  did  not  contain  any  data  (user  name,  email,  BSSId,  SSId, 
password).  It  identified  a  previously  existing  account,  but  could  not  recover  any 
additional  user  or  network  data.  The  account  information  could  have  been  encrypted  or 
encoded  after  the  reset. 

JPEG  and  PNG  image  files  were  not  removed  from  any  of  the  Android  phones  by 
the  factory  reset.  All  picture  images  (downloaded,  camera,  and  browser  thumbnails)  are 
supposed  to  be  removed  after  a  reset.  All  picture  images  were  left  on  those  phones 
untouched  and  were  still  viewable  within  the  smartphone.  The  6  images  added  before  the 
reset  was  also  left  untouched  and  viewable  in  the  smartphone.  The  iPhones  did  a  better 
job  at  wiping  the  images  and  none  of  the  image  files  including  thumbnails  were  viewable 
after  the  factory  reset.  However,  the  metadata  (name,  file  path,  size,  created,  modified, 
accessed)  for  the  images  were  still  viewable  in  the  Physical  Analyzer. 

Audio  data  was  not  removed  from  any  of  the  Android  set,  including  .wav  audio 
files  from  applications  and  user-downloaded  files  (.mp3).  The  iPhone  set  deleted  most  of 
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the  audio  files,  but  some  .wav  files  were  still  recoverable.  The  files  recovered  from  the 
iPhones  included  system  audio  files  (e.g.  ring  tones)  and  notification  sound  clips  that  had 
been  installed  by  third-party  software.  All  recovered  audio  files  could  be  played  back  on 
a  media  player. 

Text  data  were  not  removed  from  any  of  the  Android  set.  The  file  types  that  were 
recognized  as  data  were  files  with  .txt  and  .xml  extensions.  The  iPhones  did  delete  some 
text  files,  but  the  same  types  of  files  were  recovered.  Recovered  .xml  files  contained 
readable  string  data  such  as  domain  names  and  IP  addresses  associated  with  user 
activities.  Text  files  contained  various  notes  or  memos  created  by  the  user. 

Database  data  (.db,  sqlite,  .sql)  recovered  from  both  sets  contained  no  data.  The 
results  were  similar  to  the  user  accounts  data  and  wireless  network  data.  The  metadata 
(name,  file  path,  size,  creation  time,  modification  time,  and  access  time)  was  viewable 
after  the  factory  reset  but  no  data  was  stored  in  the  files. 

Configuration  data  recovered  from  the  iPhones  only  contained  system-file  access 
data.  The  access  information  appears  to  be  the  same  data  as  the  Applications  files.  Data 
was  not  recoverable  from  any  of  the  Android  set,  but  this  could  be  due  to  the  fact  that  the 
same  information  is  already  in  the  Applications  files.  The  recovered  data  did  not  contain 
any  user  information. 

Applications  data  only  contained  information  from  first-party  software  installed 
on  the  phone.  The  data  contained  various  framework,  library,  and  plug-in  information  for 
system  software.  No  user  data  was  stored  in  the  applications  files.  The  application  data  on 
the  Alb  Android  phone  contained  user  account  information  before  the  wipe.  The 
Physical  Analyzer  labeled  it  as  installed  applications.  This  was  the  only  data  that  was 
mislabeled.  The  data  was  cleared  after  a  reset  and  did  not  contain  any  user  account 
information.  It  is  unclear  why  the  Physical  Analyzer  mislabeled  this  information. 

Each  file  that  contained  user-generated  data  was  counted  and  summarized  in 
Table  10  and  Table  11.  The  numbers  indicate  the  total  number  of  files  found  with  user 
data. 
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II 

12 

13 

14 

15 

16 

17 

18 

Data  Files: 

Images 

0 

0 

0 

0 

0 

0 

0 

0 

Audio 

0 

0 

1 

0 

0 

0 

0 

0 

Text 

1 

2 

5 

7 

1 

1 

1 

1 

Databases 

0 

0 

0 

0 

0 

0 

0 

0 

Configurations 

0 

0 

0 

0 

0 

0 

0 

0 

Applications 

0 

0 

0 

0 

0 

0 

0 

0 

Table  10.  User  data  files  found  in  the  smartphones  part  1 


A9 

AIO 

All 

A12 

A13 

A14 

A15 

A16 

118 

A20 

B21 

A25 

Data  Files: 

Images 

5 

61 

10 

1698 

42 

15 

5 

616 

0 

0 

0 

6 

Audio 

0 

0 

0 

0 

0 

2 

0 

15 

0 

0 

0 

0 

Text 

1 

4 

1 

7 

0 

0 

1 

0 

1 

0 

0 

4 

Databases 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

Configurations 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

Applications 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

Table  11.  User  data  files  found  in  the  smartphones  part  2 


E.  STRING  SEARCHING  WITH  LINUX  GREP  COMMAND 


•  String  searching  was  used  for  additional  analysis  of  recovered  files. 
During  the  analysis  process  with  the  Physical  Analyzer,  we  searched  for 
some  keywords  of  interest  in  data  files: 

•  password 

•  root  certificate 

•  hash 

•  cert 

•  SHAl 

•  MD5 

•  SSL 

The  standard  Linux  grep  [45]  command  was  used  to  search  for  the  keywords. 
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The  A 10  Android  phone  was  the  only  one  that  returned  a  value  with  the 
“password”  keyword,  and  this  should  have  been  deleted  by  the  factory  reset.  This  is  one 
of  the  phones  with  a  custom  CyanogenMod  10.1  installed.  An  .xml  file  under  the 
Cyanogen  system  directory  contained  several  entries  with  website  URLs  and  user  names 
with  passwords  stored  in  clear  text  that  should  have  been  deleted.  The  other  phones  did 
not  contain  any  password  information.  All  phones  returned  at  least  one  file  that  contained 
the  “root  certificate”  phrase.  The  files  contained  characters  varying  in  length  between 
115-144.  It  is  unclear  if  this  is  the  default  trusted  certificate  installed  with  the  operating 
system  or  if  it  is  part  of  third-party  software  that  used  certificates.  In  the  latter  case  the 
data  should  have  been  deleted.  The  information  included  in  the  files  could  not  be 
identified  as  user  data.  Searches  for  the  strings  “hash”,  “cert”,  “SHAl”,  “MD5”,  and 
“SSL”  did  not  return  any  significant  results.  These  keywords  only  occurred  in 
configuration  files,  which  did  not  contain  any  user  data. 

Searching  for  the  “hash”  keyword  did  not  return  anything  significant,  but 
searching  for  “HASH”  returned  some  interesting  results.  The  “HASH”  keyword  still 
occurred  in  configuration  files  for  iPhones  but  the  files  were  always  associated  with  an 
application  called  Rocky  Racoon  on  the  iPhones  13, 14, 15, 16, 17,  and  18.  This  application 
is  used  exclusively  with  jailbroken  iPhones  [46].  Jailbreaking  is  the  process  of  using  a 
hardware  or  software  exploit  to  break  the  restrictions  on  the  iPhones  file  system  [47].  A 
jailbroken  iPhone  grants  the  user  root  access  to  the  iOS  operating  system.  Once  the 
iPhone  is  jailbroken  it  can  be  freely  modified.  The  user  can  install  unauthorized  third- 
party  applications,  plugins  and  themes  on  the  iPhone.  It  also  allows  the  user  to  switch 
mobile  carriers  without  any  restrictions.  Jailbreaking  a  phone  also  exposes  the  user  to 
various  security  risks.  Unauthorized  software  runs  the  risk  of  damaging  or  disabling  the 
iPhone.  This  may  have  affected  the  data  on  the  iPhones.  It  is  not  clear  if  these  iPhones 
have  been  jailbroken.  However,  there  is  a  high  chance  they  were  since  the  Rocky  Racoon 
software  is  only  used  with  jailbroken  iPhones. 


33 


F. 


DATA  ANALYSIS  WITH  BULK  EXTRACTOR 


The  Bulk  Extractor  tool  (Ver.  1.4.1:  Windows  installer  with  GUI)  was  used  to 
verify  some  of  the  user  data  generated  from  the  experiment  procedures.  The  smartphone 
images  created  from  the  physical  extraction  process  (.ufd)  were  not  compatible  with  Bulk 
Extractor  and  needed  to  be  converted.  A  full  dump  of  the  file  system  was  created  from 
the  .ufd  images  using  the  Physical  Analyzer.  Each  .ufd  image  generated  a  directory  of 
files,  which  was  run  on  the  Bulk  Extractor. 

The  ‘url_histogram.txt’  generated  by  the  extractor  showed  that  all  website 
(youtube.com,  facebook.com,  reddit.com,  faculty.nps.edu)  links  were  deleted  in  the  reset. 
Duplicate  links  for  the  four  visited  websites  (nps.edu,  fark.com,  yahoo.com,  npr.org) 
were  found  in  various  files  on  pre-wipe  iPhones.  It  is  unclear  why  there  were  duplicate 
links  saved  on  iPhones.  None  of  the  other  phones  contained  multiple  copies  of  the  same 
links. 

Preference  and  configuration  files  (.plist)  were  recovered  from  most  of  the  phones 
except  for  the  BlackBerry  phones  (B20,  B21)  after  the  reset.  None  of  the  files  contained 
user  information.  Setting  information  was  checked  in  the  ‘json.txt’  file  generated  by  the 
extractor. 

The  zip  file  uploaded  to  the  root  directory  ‘testschwamm_userdata.zip’  was  not 
deleted  from  any  of  the  Android  phones  and  the  text  file  ‘testschwamm_password.txt’ 
can  be  viewed  in  the  ‘zip.txt’  generated  by  the  extractor. 

During  the  keyword  search  several  files  containing  the  word  ‘DELETED’ 
appeared  in  the  ‘Feature  File’  results  window.  The  Bulk  Extractor  displayed  some  text 
files  (.txt)  that  included  the  word  ‘DELETED’  as  part  of  the  file  name.  None  of  these 
files  contained  any  readable  data  and  were  all  located  at  the  top-level  directory.  The 
Physical  Analyzer  could  not  find  any  of  these  tagged  files.  It  became  clear  that  further 
investigation  was  needed  to  determine  if  any  more  user-generated  data  were  not  properly 
identified  by  the  Physical  Analyzer.  The  following  common  file  extensions  [48]  were 
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used  for  a  string  search  against  the  full  file  system  dump.  The  same  grep  command  was 
used  to  search  for  these  common  file  extensions. 

•  Text  files  (doc,  docx,  log,  msg,  odt,  pages,  rtf,  tex,  txt,  wpd,  wps) 

•  Data  files  (csv,  dat,  gbr,  ged,  ibooks,  key,  keychain,  pps,  ppt,  pptx,  sdf, 
tar, 

•  tax2012,  vcf,  xml) 

•  Audio  files  (aif,  iff,  m3u,  m4a,  mid,  mp3,  mpa,  ra,  wav,  wma) 

•  Video  files  (3g2,  3gp,  asf,  asx,  avi,  flv,  m4v,  mov,  mp4,  mpg,  rm,  srt,  swf, 

vob 

•  ,  wmv) 

•  3D  image  files  (3dm,  3ds,  max,  obj) 

•  Raster  image  files  (bmp,  dds,  gif,  jpg,  png,  psd,  pspimage,  tga,  thm,  tif, 
tiff,  yuv) 

•  Vector  image  files  (ai,  eps,  ps,  svg) 

•  Page  layout  files  (indd,  pet,  pdf) 

•  Spreadsheet  files  (xlr,  xls,  xlsx) 

•  Database  files  (accdb,  db,  dbf,  mdb,  pdb,  sql) 

•  Executable  files  (apk,  app,  bat,  cgi,  com,  exe,  gadget,  jar,  pif,  vb,  wsf) 

•  Game  files  (dem,  gam,  nes,  rom,  sav) 

•  CAD  files  (dwg,  dxf) 

•  CIS  files  (gpx,  kml,  kmz) 

•  Web  files  (asp,  aspx,  cer,  cfm,  csr,  css,  htm,  html,  js,  jsp,  php,  rss,  xhtml) 

•  Plugin  files  (crx,  plugin) 

•  Font  files  (fnt,  fon,  otf,  ttf) 

•  System  files  (cab,  cpl,  cur,  deskthemepack,  dll,  dmp,  drv,  icns,  ico.  Ink, 
sys) 

•  Settings  files  (cfg,  ini,  prf) 

•  Encoded  files  (hqx,  mim,  uue) 

•  Compressed  files  (7z,  cbr,  deb,  gz,  pkg,  rar,  rpm,  sitx,  tar.gz,  zip,  zipx) 

•  Disk  image  files  (bin,  cue,  dmg,  iso,  mdf,  toast,  vcd) 

•  Developer  files  (c,  class,  cpp,  cs,  dtd,  fla,  h,  java,  lua,  m,  pi,  py,  sh,  sin 

•  ,  vcxproj,  xcodeproj) 
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•  Backup  files  (bak,  tmp) 

•  Miscellaneous  files  (crdownload,  ics,  msi,  part,  torrent) 

Each  extension  was  used  as  a  search  term  against  both  sets  of  smartphones.  All 
files  that  matched  the  keywords  were  checked  for  user  data.  The  numbers  include  both 


user  data  and  system  data  (Table  12  &  13). 


II 

12 

13 

14 

15 

16 

17 

18 

Text  Files 

54/55 

54/55 

8/252 

20/53 

12/148 

8/40 

8/11 

15/50 

Data  Files 

406/406 

403/406 

73/355 

115/91 

73/1501 

73/107 

73/73 

73/147 

Audio  Files 

2007/2007 

2007/2007 

20/2673 

20/63 

20/1298 

20/1162 

20/20 

20/1190 

Video  Files 

0/0 

0/0 

0/9 

0/0 

0/9 

0/95 

0/0 

0/9 

3D  Image  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Raster  Image 

Files 

71/71 

71/71 

3/54 

2/4 

2/2 

2/2 

2/2 

2/4 

Vector  Image 

Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Page  Layout  Files 

18/18 

18/18 

7/28 

14/14 

7/7 

7/26 

7/7 

7/13 

Spreadsheet  Files 

0/0 

0/0 

0/0 

0/0 

0/1 

0/1 

0/0 

0/0 

Database  Files 

79/80 

80/87 

15/52 

60/60 

15/47 

14/51 

15/16 

15/58 

Executable  Files 

3/3 

3/3 

2/10 

2/6 

2/5 

2/4 

2/2 

2/6 

Game  Files 

2/2 

2/2 

2/5 

2/2 

2/4 

2/2 

2/2 

2/2 

CAD  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

GIS  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Web  Files 

211/211 

212/212 

13/13 

14/14 

12/13 

12/12 

12/12 

12/12 

Plugin  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Font  Files 

66/66 

66/66 

56/56 

47/47 

56/56 

56/56 

56/56 

56/56 

System  Files 

5/5 

6/6 

2/2 

2/2 

2/2 

2/2 

2/2 

2/2 

Settings  Files 

0/0 

0/0 

0/2 

0/0 

0/4 

0/38 

0/0 

0/1 

Encoded  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Compressed  Files 

2/2 

2/2 

7/7 

0/1 

0/5 

0/1 

0/1 

0/1 

Disk  Image  Files 

87/87 

87/87 

8/339 

14/14 

8/119 

8/35 

8/8 

8/59 

Developer  Files 

18/18 

19/19 

1/10 

1/9 

1/17 

1/1 

1/7 

1/11 

Backup  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Misc  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Table  12.  Search  result  (post-wipe/pre- wipe)  part  1 
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A9 

AIO 

All 

AI2 

AI3 

AI4 

AI5 

AI6 

118 

A20 

A2I 

A25 

Text  Files 

1/1 

14/14 

1/1 

141/142 

0/0 

0/0 

1/1 

0/0 

54/55 

0/0 

0/0 

66/552 

Data  Files 

0 

50/50 

0/0 

66/66 

1/1 

0/0 

0/0 

0/0 

406/406 

0/0 

0/0 

374/2479 

Audio  Files 

0/0 

1/1 

1/1 

68/68 

0/0 

2/2 

0/0 

0/0 

2007/2007 

0/0 

0/0 

1/1 

Video  Files 

0/0 

5/5 

0/0 

6/6 

10/10 

5/5 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

3D  Image  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Raster  Image  Files 

5/5 

716/716 

11/11 

1938/1938 

42/42 

15/15 

5/5 

616/616 

71/71 

0/7 

0/3 

70/88 

Vector  Image  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Page  Layout  Files 

0/0 

0/0 

0/0 

39/39 

0/0 

0/0 

0/0 

0/0 

18/18 

0/0 

0/0 

0/0 

Spreadsheet  Files 

0/0 

0/0 

0/0 

0/1 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Database  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

80/87 

0/0 

0/0 

0/0 

Executable  Files 

0/0 

95/95 

0/0 

7/7 

3/3 

1/1 

0/0 

0/0 

3/3 

0/0 

0/0 

75/77 

Game  Files 

0/0 

1/1 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

2/2 

0/0 

0/0 

0/0 

CAD  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

GIS  Files 

0/0 

0/0 

0/0 

69/69 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Web  Files 

0/0 

4/4 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

212/212 

0/0 

0/0 

0/0 

Plugin  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Font  Files 

0/0 

39/39 

0/0 

1/1 

0/0 

0/0 

0/0 

0/0 

66/66 

0/0 

0/0 

0/0 

System  Files 

0/0 

3/3 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

6/6 

0/0 

0/0 

0/0 

Settings  Files 

0/0 

1/1 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Encoded  Files 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Compressed  Files 

0/0 

22/22 

0/0 

20/20 

6/6 

0/0 

0/0 

0/0 

2/2 

0/0 

0/0 

3/3 

Disk  Image  Files 

0/0 

15/15 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

87/87 

0/0 

0/0 

0/0 

Developer  Files 

0/0 

10/15 

0/0 

22/22 

0/0 

0/0 

0/0 

0/0 

19/19 

0/0 

0/0 

12/12 

Backup  Files 

0/0 

13/13 

0/0 

24/25 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

177/1018 

Misc  Files 

0/0 

0/0 

0/0 

0/1 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

0/0 

Table  13.  Search  result  (post-wipe/pre- wipe)  part  2 
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No  files  with  the  keyword  “DELETED”  were  found  in  any  of  the  iPhones,  only 
on  the  Android  smartphones.  Most  of  the  tagged  files  were  text  files,  but  some  were  zip 
archives,  Adobe  PDE,  MP4  video,  and  Microsoft  Office  files.  All  files  containing  the 
keyword  “DELETED”  were  unreadable  and  did  not  include  any  user  data. 

User-generated  Word  and  Excel  files  were  found  as  email  attachments  on  the  pre¬ 
wipe  iPhones  (14,  15,  18)  but  these  files  were  properly  deleted  post-wipe.  A  significant 
amount  of  user-generated  files  were  recovered  from  two  of  the  post-wipe  Android 
smartphones  (AlO,  A12).  Both  included  Adobe  PDE  files,  Microsoft  Word  files, 
Microsoft  Excel  files,  MP4  Video  files  and  zip  archives.  All  of  these  files  were  user¬ 
generated  and  contained  sensitive  information  (user  name,  phone  number,  email  address, 
and  personal-video  footage).  Some  of  these  personal  files  were  located  at  the  top-level 
directory  just  like  the  tagged  files.  However,  most  of  them  were  found  in  the  directory 
‘\data\com.dropbox.android\file\scratch’.  The  AlO  Android  phone  contained  several 
documents  under  this  directory.  Dropbox  is  third-party  software  that  is  installed  by  the 
user  and  is  used  as  a  file  hosting  service  for  various  platforms.  The  software  client  creates 
a  local  folder  that  can  be  synchronized  across  multiple  platforms.  Piles  that  are  placed  in 
the  folder  are  synced  over  the  network  through  Dropbox  servers  [49].  None  of  the  user 
data  appears  to  have  been  deleted  from  the  Dropbox  folder.  The  same  number  of  files 
was  found  in  this  directory  pre-wipe. 

G.  DISCUSSION 

The  reset  did  a  good  job  of  removing  user-account  and  Wi-Pi  information 
associated  with  the  phones.  However,  it  did  not  fully  remove  photo  images,  audio  files, 
text  files,  website  login  information,  and  geolocation  data. 

The  UME-36  Pro  and  Physical  Analyzer  was  able  to  collect  a  large  variety  of  data 
after  the  factory  reset.  The  tool  was  able  to  recover  several  files  containing  user  data  or 
user  generated  text  files.  There  were  20  files  recovered  from  the  iPhones  and  2483  files 
recovered  from  the  Android  phones.  These  are  the  total  number  of  files  that  Cellebrite 
was  able  to  identify.  Text  and  audio  files  were  recovered  from  several  iPhones.  Other 
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kinds  of  user  data  were  left  behind  on  some  of  the  Android  phones,  including  audio,  text, 
and  picture  files.  Many  remaining  pictures  were  still  viewable,  and  some  remaining 
audio  files  could  still  be  played  back. 

The  string  search  using  the  grep  command  found  one  xml  file  on  an  Android 
phone.  The  xml  file  contained  user  login  and  password  information.  The  Cellebrite  tools 
did  not  identify  this  xml  file.  No  additional  files  were  found  from  the  iPhone  set  using 
this  method. 

The  Bulk  Extractor  helped  uncover  several  text  files  that  were  not  identified  by 
Cellebrite  or  the  string  search.  An  additional  157  user  files  were  recovered  from  the 
Android  phones.  Some  files  were  left  behind  by  third-party  applications  such  as  Dropbox. 
The  reset  removed  the  applications  but  some  user  data  was  left  behind  in  the  installed 
directory.  These  files  were  Microsoft  Office  files  (Word,  Excel),  Adobe  PDF’s  and  MP4 
video  files.  Bulk  Extractor  did  a  better  job  of  finding  email  addresses,  fax  numbers  and 
phone  numbers  within  files.  However,  the  additional  information  was  almost  always 
found  in  manuals,  acknowledgements,  service  agreements,  and  support  information  for 
system  software.  It  was  not  personal  user  information  but  developer  contacts  (@tech, 
©helpdesk)  and  tech  support  (1-800  numbers).  Several  text  files  could  be  viewed  with  a 
standard  text  viewer.  Some  files  contained  IP  addresses  and  domain  names.  Geolocation 
data  was  found  along  with  timestamps,  enabling  a  view  of  the  locations  the  phone  has 
been  used.  No  additional  files  were  discovered  on  the  iPhones. 

Cellebrite  identified  that  59%  of  the  files  were  removed  from  iPhones  and  47%  of 
the  files  were  removed  from  Android  phones  after  a  reset.  The  percentage  is  calculated 
from  the  total  number  of  files  pre-wipe  and  post- wipe.  It  is  based  off  of  the  total  number 
of  files  identified  and  listed  by  the  forensics  tools.  All  files  identified  by  both  tools  were 
manually  analyzed  and  counted. 
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V.  CONCLUSIONS  AND  FUTURE  WORK 


A.  CONCLUSION 

The  main  goal  of  this  thesis  was  to  analyze  residual  user  data  on  smartphones 
after  a  factory  reset.  A  total  of  21  smartphones  were  used  to  test  the  effectiveness  of  the 
reset.  The  experiment  was  successful  in  extracting  residual  user  data  from  the 
smartphones.  The  data  showed  that  factory  resets  do  not  remove  all  user  information.  A 
factory  reset  is  not  a  complete  wipe  of  the  device.  It  appears  to  only  remove  files  that  the 
operating  system  deems  as  user  generated.  If  this  is  the  case  the  reset  feature  does  not 
properly  categorize  user  information.  Anybody  who  has  access  to  commercial  forensics 
tools  could  collect  user  data  from  smartphones.  This  can  be  a  major  problem  for  some 
organizations.  The  military  and  the  active  duty  members  use  smartphones  on  a  daily  basis 
and  deal  with  sensitive  information.  This  can  become  a  serious  security  issue  and  needs 
to  be  addressed.  There  are  also  many  challenges  for  digital  forensics  investigations.  There 
is  a  large  variability  in  the  number  and  types  of  files  that  are  recoverable  from 
smartphones.  An  investigator  may  not  be  able  to  find  the  specific  file  or  evidence  needed 
for  the  case  even  when  much  personal  information  remains.  A  large  data  set  can  be 
recovered  from  a  phone,  but  these  data  files  might  be  files  that  already  existed  on  the 
device.  At  the  same  time,  not  finding  files  does  not  mean  evidence  is  not  present  on  the 
device.  The  files  could  be  unrecoverable  by  a  single  forensic  tool  and  a  single  experiment 
may  not  be  enough  to  recover  all  the  evidence.  Multiple  experiments  and  forensics  tools 
should  be  used  to  distinguish  a  wide  range  of  files  and  evidence. 

B.  RECOMMENDED  PROCEDURES 

We  conclude  that  a  “factory  reset”  as  currently  implemented  is  insufficient  for 
removing  personal  data  on  today’s  smartphones.  The  user  wanting  to  remove  all  such 
data  should  take  the  following  steps. 

Delete  cache  files,  browser  history  files,  and  browser  cookies.  Usually  this  can  be 
done  through  the  smartphone  settings  menu. 
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Manually  uninstall  all  third-party  software  and  review  its  directories  for  residual 
user  data  since  a  “factory  reset”  does  not  generally  affect  it.  Be  especially  careful  with 
off-site  backup  software  such  as  Dropbox  which  often  store  a  considerable  amount  of 
personal  data  of  a  user. 

Perform  a  “factory  reset”  for  the  smartphone. 

Check  possible  locations  of  remaining  copies  of  personal  files,  and  delete  any 
such  files  that  are  found,  since  generally  a  user  file  that  has  been  manually  copied  or 
moved  to  a  top-level  or  user-created  directory  will  not  be  erased  during  a  reset. 

Search  for  remaining  personal  user  files  by  their  common  extensions  (such  as 
“doc”,  “txt”,  and  “mp3”)  and  delete  them.  A  file  explorer  application  can  be  used  to  find 
these  files. 

Overwrite  deleted  data  and  possibly  unused  drive  storage  with  specialized 
software.  Zeroing  out  will  overwrite  free  space  where  deleted  files  are  stored.  This  will 
prevent  deleted  files  from  being  recovered. 

In  addition,  the  criticality  of  these  steps  can  be  reduced  if  the  smartphone  is 
password-protected  and  uses  OS-level  encryption  on  files.  Encryption  will  eliminate  the 
sensitivity  of  the  data  to  which  it  is  applied,  and  passwords  will  make  it  harder  to  access 
data  of  other  users.  The  Apple  iPhone  and  Google  Android  phone  provide  both  of  these 
with  their  smartphones. 

C.  FUTURE  WORK 

Possible  additional  work  can  be  done: 

•  A  larger  and  more  diverse  set  of  smartphones  (including  Blackberry, 
Windows  Phone,  Firefox  OS,  and  Ubuntu  Edge)  could  help  provide  a 
better  overview  of  the  strength  and  weaknesses  of  a  factory  reset.  The  new 
Cellebrite  UFED  Touch  hardware  supports  a  larger  range  of  smartphones 
and  is  compatible  with  MTP. 

•  Several  forensics  tools  were  tested  but  not  used  for  this  project.  Testing 
other  tools  against  Cellebrite  and  creating  a  cross  reference  between 
different  tools  may  produce  more  reliable  data. 


42 


•  This  thesis  did  not  explore  password  protection  or  encrypted  data  types. 
Additional  research  can  be  conducted  on  the  effectiveness  of  various 
encryption  types.  These  data  types  may  require  additional  tools  or  special 
techniques  to  decipher.  It  can  create  a  unique  challenge  for  forensics 
research. 

•  Other  security  techniques  can  be  tested  for  user-data  protections.  Several 
software  programs  (iErase  [50],  SHREDroid  [51])  claim  to  completely 
erase  the  internal  flash  memory  of  a  smartphone.  The  effectiveness  of 
these  can  be  tested  and  compared  against  the  finding  from  this  paper. 

•  A  targeted  analysis  can  be  done  on  third-party  software  solutions.  Backup 
software  solutions  can  be  further  investigated.  The  research  should  focus 
on  residual  data  left  by  third-party  software  after  a  factory  reset. 
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